Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the DojoCode by and between Client and DojoCode Platform (the “Agreement”). All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
1. Definitions
“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” will have the meanings given to them in the GDPR.
“Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR”), and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), and all other data protection laws of the EEA including laws of the European Union (“EU”), the United Kingdom (“UK”) and Switzerland, each as applicable, and as may be amended or replaced from time to time.
“Data Subject Rights” means all rights granted to Data Subjects by Data Protection Laws, including the right to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making.
“International Data Transfer” means any transfer of Client Personal Data from the EEA, UK or Switzerland to an international organization or to a country outside of the EEA, UK, or Switzerland, and includes any onward disclosure of Client Personal Data to another recipient within that country, as well as any onward transfer of Client Personal Data from the international organization or the country outside of the EEA, UK, or Switzerland to another country outside of the EEA, UK, or Switzerland.
“Client Personal Data” means any Personal Data that is subject to Data Protection Laws, for which Client or Third-Party Controller is the Controller, and which is Processed by DojoCode Platform to provide the Services to Client.
“Personnel” means any natural person acting under the authority of DojoCode Platform.
“Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data or otherwise subject to additional restrictions under Data Protection Laws.
“Standard Contractual Clauses” or “SCCs” mean the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time.
“Sub-processor” means a Processor engaged by another Processor to carry out Processing on behalf of a Controller.
“Third-Party Controller” means a Controller for which Client is a Processor.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022), available at this link
2. Scope and Applicability
The DPA applies to Processing of Client Personal Data by DojoCode Platform to provide the Services.
The subject matter, nature, and purpose of the Processing, the types of Client Personal Data and categories of Data Subjects are set out in Appendix I and the Agreement.
Client is a Controller and appoints DojoCode Platform as a Processor on behalf of Client. Client is responsible for compliance with the requirements of Data Protection Laws applicable to Controllers.
To the extent Client is a Processor on behalf of a Third-Party Controller, Client engages DojoCode Platform as a Sub-processor to Process Client Personal Data on behalf of that Third-Party Controller. When Client is acting on behalf of Third-Party Controller(s), then Client: (i) is the single point of contact for DojoCode Platform; (ii) must obtain all necessary authorizations from such Third-Party Controller(s); (iii) undertakes to issue all instructions and exercise all rights on behalf of such Third-Party Controller(s); and (iv) is responsible for compliance with the requirements of Data Protection Laws applicable to Processors. Client acknowledges that DojoCode Platform may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, and product development. DojoCode Platform is the Controller for such Processing and will Process such data in accordance with Data Protection Laws.
3. Duration of this DPA
This DPA is effective for as long as DojoCode Platform Processes Client Personal Data on behalf of Client.
4. Collecting, Processing and Subprocessing of Client Personal Data
Client Data Collection and Processing
Client will comply with its obligations under the Data Protection Laws in respect of its collecting and processing of Client Personal Data and any processing instructions it issues to DojoCode Platform. Client represents that it has all rights, consents, and authorizations necessary for DojoCode Platform to process Client Personal Data pursuant to Data Protection Laws and the Agreement.
Client authorizes DojoCode Platform, in providing the Services, to Process Client Personal Data in accordance with applicable laws.
Upon notice in writing to Client, DojoCode Platform may terminate the Agreement if DojoCode Platform has determined, or has reason to believe, that Client is not in compliance with Data Protection Laws as a Controller or Processor.
DojoCode Platform Data Processing
DojoCode Platform will comply with its obligations as a Processor under applicable Data Protection Laws and will process Client Personal Data to provide Services and in accordance with Client’s documented instructions. Client’s instructions are documented in this DPA and the Agreement. Client agrees that this DPA is its complete and final agreement with DojoCode Platform in relation to the Processing or sub-processing of Client Personal Data.
DojoCode Platform will comply with documented instructions of Client related to Processing Client Personal Data. Unless prohibited by applicable law, DojoCode Platform will inform Client if DojoCode Platform is subject to a legal obligation that requires DojoCode Platform to Process Client Personal Data in contravention of Client’s documented instructions.
Client may reasonably issue additional instructions as necessary to comply with Data Protection Laws. DojoCode Platform may charge a reasonable fee to comply with any additional instructions.
Upon notice in writing, Client may terminate the Agreement if DojoCode Platform declines to follow Client’s reasonable instructions that are outside the scope of, or changed from, those given or agreed to in this DPA, to the extent such instructions are necessary to enable DojoCode Platform to comply with Data Protection Laws.
Sub-processing
Client hereby authorizes DojoCode Platform to engage Sub-processors, including its subsidiaries. A list of DojoCode Platform’s current Sub-processors is available upon request to dojocode.challenges@gmail.com. Subject to any applicable disclaimers or limitations of liability, DojoCode Platform remains responsible for the acts, errors, or omissions of its sub-processors to the extent applicable to DojoCode Platform’s obligations under this DPA.
DojoCode Platform will enter into a written agreement with Sub-processors which imposes the same obligations as required by Data Protection Laws.
DojoCode Platform will inform Client prior to any intended change to Sub-processors. Client may object to the addition of a Sub-processor based on reasonable grounds relating to a potential or actual violation of Data Protection Laws by providing written notice detailing the grounds of such objection within thirty (30) days following DojoCode Platform’s notification of the intended change. Client and DojoCode Platform will work together in good faith to address Client’s objection. If DojoCode Platform chooses to retain the Sub-processor, DojoCode Platform will inform Client at least thirty (30) days before authorizing the Sub-processor to Process Client Personal Data, and Client may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.
5. Technical and Organizational Security Measures
Measures by DojoCode Platform
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, prior to the commencement of any processing, DojoCode Platform shall implement, establish and maintain commercially reasonable technical and organizational security measures. DojoCode Platform shall present and document such technical and organizational security measures for review by Client. Such technical and organizational security measures shall become the foundation of the Services and are subject to technical progress and development. DojoCode Platform may, from time to time, modify such technical and organizational security measures, so long as such measures do not materially reduce the protection afforded to Client Personal Data, and are reasonably documented.
Measures by Client
Client is responsible for using and configuring the Services to enable Client to comply with Data Protection Laws, including implementing Client’s own appropriate and adequate technical and organizational measures. Client shall provide DojoCode Platform with a copy of such measures and notify DojoCode Platform in writing of any modifications. If DojoCode Platform Developers use Client devices, laptops, or computers, Client shall present and document all technical and organizational security measures for review by DojoCode Platform. Such technical and organizational security measures shall become the foundation of the Services and are subject to technical progress and development. Client may, from time to time, modify such technical and organizational security measures, so long as such measures are not reduced, and are appropriately documented.
Personnel
DojoCode Platform will take steps to ensure that all Personnel authorized by DojoCode Platform to Process Client Personal Data are subject to an obligation of confidentiality.
Prohibited Data
Client acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as financial or health information). Client represents and warrants that neither Client nor any entity acting for or on behalf of Client will submit to DojoCode Platform any Client Personal Data which is regulated under the Health Insurance Portability and Accountability Act without a separate Business Associate Agreement. In such events, DojoCode Platform will take reasonable and appropriate steps to notify Client of its receipt of any prohibited data.
6. Notification and Assistance
DojoCode Platform will notify Client without undue delay after DojoCode Platform becomes aware of a Personal Data Breach involving Client Personal Data.
DojoCode Platform will provide information relating to the Personal Data Breach as reasonably requested by Client to the extent such information is available to DojoCode Platform. DojoCode Platform will use reasonable efforts to assist Client in mitigating, where commercially reasonable and technically feasible, the adverse effects of a Personal Data Breach. Taking into account the nature of the Processing, and the information available to DojoCode Platform, DojoCode Platform will assist Client, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Client’s own obligations under Data Protection Laws to: (i) comply with requests to exercise Data Subject Rights; (ii) conduct data protection impact assessments and prior consultations with Supervisory Authorities; and (iii) notify a Personal Data Breach. DojoCode Platform may charge a reasonable fee to Client for support services rendered in connection with this Section 7, which are not included in the description of the Services, and which are not attributable to failures on the part of DojoCode Platform. If such support services reveal the failure of DojoCode Platform to materially comply with its obligations under applicable Data Protection Laws or as otherwise set forth in this DPA, DojoCode Platform and Client shall each bear their own costs related to assistance.
DojoCode Platform’s notification of or response to a Personal Data Breach pursuant to this Section 7 will not be construed as an acknowledgement by DojoCode Platform of any fault or liability with respect to such Personal Data Breach.
7. Deletion or Return
Pursuant to the Agreement, DojoCode Platform will delete or return Client Personal Data that is in its possession and control as set forth in the Agreement except to the extent DojoCode Platform is required by law to retain any Client Personal Data. Client may request return of Client Personal Data up to thirty (30) days after termination of the Agreement. Unless required or permitted by applicable law, DojoCode Platform will delete all remaining copies of Client Personal Data within thirty (30) days after returning Client Personal Data to Client. DojoCode Platform will notify Client prior to deletion.
8. Cooperation, Supervision and Audit
Request for Data Protection
Upon notice from data subjects or data protection authorities (including requests from individuals seeking to exercise their rights under Data Protection Laws) to the extent regarding the Processing of Client Personal Data by DojoCode Platform pursuant to the Agreement, DojoCode Platform will forward such requests to Client. Unless legally required to do so, DojoCode Platform will not respond to such communication without Client’s authorization. If DojoCode Platform is required to respond to any request, DojoCode Platform will notify Client and provide Client with a copy of the request, unless legally prohibited from doing so.
Client Requests
DojoCode Platform will cooperate with Client, at Client’s sole cost and expense, to respond to any requests from individuals or data protection authorities relating to the processing of Client Personal Data under this DPA to the extent that Client may be unable to access relevant Client Personal Data.
DojoCode Platform shall inform Client if DojoCode Platform believes any instruction or request violates Data Protection Laws. Client shall document immediately any oral instructions in text form.
Audit Requests
DojoCode Platform audits its Technical and Organizational Security Measures against data protection and information security standards on a regular basis. Such audits are conducted by DojoCode Platform’s internal team or a designated third party as engaged by DojoCode Platform. Upon written request and subject to the confidentiality provisions of the Agreement, DojoCode Platform will make available to Client all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Client and performed by an independent auditor as agreed upon by Client and DojoCode Platform.
DojoCode Platform may request audits of Client’s Technical and Organizational Security Methods to ensure compliance with this DPA. Client will make available to DojoCode Platform a summary of the most recent audit report and any other document reasonably required by DojoCode Platform.
Either party requesting such audit information does so at their sole expense, and agrees to remunerate the other party of any costs associated with such audit requests.
Client’s request for an audit will not require DojoCode Platform either to disclose to Client or its third-party auditor, or to allow Client or its third-party auditor to access:
Any data of any other client of DojoCode Platform;
DojoCode Platform’s internal accounting or financial information;
Any trade secrets of DojoCode Platform or any client of DojoCode Platform;
Any information that, in DojoCode Platform’s reasonable opinion, could (i) compromise the security of DojoCode Platform systems or premises; or (ii) cause DojoCode Platform to breach its obligation under applicable law or its security and/or privacy obligations to any client or any third party; or
Any information that Client or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Client’s obligation under Data Protection Laws.
9. International Data Transfers
DojoCode Platform may transfer and process Client Personal Data as requested by Client in other locations around the world where DojoCode Platform and its Sub-processors maintain operations as necessary to provide Services.
Client hereby authorizes DojoCode Platform to perform International Data Transfers:
to any country subject to a valid adequacy decision of the EU Commission or the competent authorities, as appropriate;
to the extent authorized by Supervisory Authorities or by the competent authority on the basis of an organization’s binding corporate rules;
to any data importer with whom DojoCode Platform has entered into SCCs.
By signing this DPA, Client and DojoCode Platform hereby agree to include the provisions of module two (Controller to Processor) and, to the extent Client is a Processor on behalf of a Third-Party Controller, module three (Processor to Sub-processor) of the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Client; the “data importer” is DojoCode Platform; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; Clause 17 option 1 is implemented and the governing law is the law of Belgium; the courts in Clause 18(b) are the Courts of Belgium; Annexes I and II to the SCCs are Appendixes I and II to this DPA respectively.
By signing this DPA, Client and DojoCode Platform conclude the UK Addendum, which applies to International Data Transfers out of the UK in addition to the Standard Contractual Clauses, and which is hereby incorporated, and Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Client and the “Importer” is DojoCode Platform, their details and signatures are set forth in the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in section 10.3 of this DPA; (iii) in Table 3, “Annex 1A” and “Annex 1B” to the “Approved EU SCCs” is Appendix I to this DPA and “Annex II” to the “Approved EU SCCs” is Appendix II to this DPA; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
If DojoCode Platform’s compliance with Data Protection Laws applicable to International Data Transfers is affected by circumstances outside of DojoCode Platform’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Client and DojoCode Platform will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative SCCs are approved by the Supervisory Authorities or the new version of UK Addendum is approved, DojoCode Platform reserves the right to amend the Agreement and this DPA by adding to or replacing, the SCCs or UK Addendum that form part of it at the date of signature in order to ensure continued compliance with Data Protection Laws.
10. Notifications
Client will send all notifications, requests, and instructions under this DPA to DojoCode Platform via email to: dojocode.challenges@gmail.com.
DojoCode Platform will send all notifications under this DPA to Client’s contact indicated in the Agreement.
11. Limitations of Liability
To the extent permitted by applicable law, where DojoCode Platform has paid compensation, damages, or fines, DojoCode Platform is entitled to claim back from Client that part of the compensation, damages, or fines, corresponding to Client’s part of responsibility for the compensation, damages or fines. Parties agree that the total combined liability limit (including indemnifications of any kind) to one another shall be set as provided under the terms of the Agreement as executed between the Parties.
12. Miscellaneous
DojoCode Platform may modify the terms of this DPA as provided in the Agreement. DojoCode Platform will notify Client of any such changes and effectiveness of such changes in accordance with this DPA or the Agreement. Changes to this DPA include, but are not limited to, the following circumstances:
If required or ordered to do so by any supervisory, judicial, governmental, or regulatory entity.
As required to implement or adhere to standard contractual clauses, various codes of conduct, policies, rules, procedures and any other mechanisms as required under Data Protection Laws.
In the event of a conflict between the Agreement and this DPA with respect to the subject matter of this DPA, the terms of this DPA shall control to the extent of such conflict.
If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
APPENDIX I
DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter:
Name: Client
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Agreement.
Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller
Data importer:
Name: DojoCode Platform Inc.
Address: 42 Axente Sever, Cluj-Napoca, Romania.
Contact person’s name, position and contact details: Mr. Alexandru Surducan, HR, dojocode.challenges@gmail.com.
Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Agreement.
Role (controller/processor): Processor on behalf of data exporter, or Sub-processor on behalf of Third-Party Controller
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects whose Personal Data is transferred:
Data subjects include Clients and the individuals about whom data is provided to DojoCode Platform via the Services by (or at the direction of) Client.
Categories of Personal Data transferred:
Data relating to Clients or other individuals provided to DojoCode Platform via the Services, by (or at the direction of) Clients. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of DojoCode Platform’s services, and demographic information.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. Sensitive data is pseudonymized.
None anticipated.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
On a continuous basis during the duration of the Services.
Nature of the processing:
The Personal Data will be processed and transferred as described in the Agreement.
Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Pursuant to Clause 13, the supervisory authority of the EEA country where (i) Client is established; or where (ii) the EU representative of Client is established; or where (iii) the data subjects whose personal data are transferred under the SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
APPENDIX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Confidentiality
Electronic Access Control
No unauthorized use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
Internal Access Control (permissions for user rights of access to and amendment of data)
No unauthorized Reading, Copying, Changes or Deletions of Data within the system as approvals are managed centrally, e.g., rights authorization concept, need-based rights of access, logging of system access events
Isolation Control
The isolated Processing of Personal Data, which is collected for differing purposes, e.g., multiple Client support, sandboxing
Employee Control
Employees are bound by written confidentiality agreements
Employees receive training on data privacy and data security
Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)
The processing of Personal Data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.
Integrity
Data Transfer Control
No unauthorized Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;
Data Entry Control
Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management
Job Control
DojoCode Platform’s employees and contractors may only process Client and personal data strictly in accordance with the Agreement’s obligations and Client instructions.
Availability and Resilience
Availability Control
Prevention of accidental or willful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning
Rapid Recovery
Procedures for Regular Testing, Assessment and Evaluation
Data Protection Management
Incident Response Management
Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)
Order or Contract Control
No third-party data processing as per Article 28 GDPR without corresponding instructions from Client, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls, duty of pre-evaluation, supervisory follow-up check.